{ "affected": [ { "ranges": [ { "events": [ { "introduced": "9734e25fbf5ae68eb04234b2cd14a4b36ab89141" }, { "fixed": "d689135aa9c5e4e0eab5a92bbe35dab0c8d6677f" }, { "fixed": "b64fdd422a85025b5e91ead794db9d3ef970e369" } ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "type": "GIT" } ] } ], "database_specific": { "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39821.json" }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Avoid undefined behavior from stopping/starting inactive events\n\nCalling pmu-\u003estart()/stop() on perf events in PERF_EVENT_STATE_OFF can\nleave event-\u003ehw.idx at -1. When PMU drivers later attempt to use this\nnegative index as a shift exponent in bitwise operations, it leads to UBSAN\nshift-out-of-bounds reports.\n\nThe issue is a logical flaw in how event groups handle throttling when some\nmembers are intentionally disabled. Based on the analysis and the\nreproducer provided by Mark Rutland (this issue on both arm64 and x86-64).\n\nThe scenario unfolds as follows:\n\n 1. A group leader event is configured with a very aggressive sampling\n period (e.g., sample_period = 1). This causes frequent interrupts and\n triggers the throttling mechanism.\n 2. A child event in the same group is created in a disabled state\n (.disabled = 1). This event remains in PERF_EVENT_STATE_OFF.\n Since it hasn't been scheduled onto the PMU, its event-\u003ehw.idx remains\n initialized at -1.\n 3. When throttling occurs, perf_event_throttle_group() and later\n perf_event_unthrottle_group() iterate through all siblings, including\n the disabled child event.\n 4. perf_event_throttle()/unthrottle() are called on this inactive child\n event, which then call event-\u003epmu-\u003estart()/stop().\n 5. The PMU driver receives the event with hw.idx == -1 and attempts to\n use it as a shift exponent. e.g., in macros like PMCNTENSET(idx),\n leading to the UBSAN report.\n\nThe throttling mechanism attempts to start/stop events that are not\nactively scheduled on the hardware.\n\nMove the state check into perf_event_throttle()/perf_event_unthrottle() so\nthat inactive events are skipped entirely. This ensures only active events\nwith a valid hw.idx are processed, preventing undefined behavior and\nsilencing UBSAN warnings. The corrected check ensures true before\nproceeding with PMU operations.\n\nThe problem can be reproduced with the syzkaller reproducer:", "id": "CVE-2025-39821", "modified": "2026-04-01T23:08:55.502270023Z", "published": "2025-09-16T13:00:20.805Z", "references": [ { "type": "WEB", "url": "https://git.kernel.org/stable/c/b64fdd422a85025b5e91ead794db9d3ef970e369" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/d689135aa9c5e4e0eab5a92bbe35dab0c8d6677f" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39821.json" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39821" }, { "type": "PACKAGE", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "perf: Avoid undefined behavior from stopping/starting inactive events" }